On the Complexity of Compressing Obfuscation

Transcription

1 On the Complexity of Compressing Obfuscation Gilad Asharov Naomi Ephraim Ilan Komargodski Rafael Pass Abstract Indistinguishability obfuscation has become one of the most exciting cryptographic primitives due to its far reaching applications in cryptography and other fields. However, to date, obtaining a plausibly secure construction has been an illusive task, thus motivating the study of seemingly weaker primitives that imply it, with the possibility that they will be easier to construct. In this work, we provide a systematic study of compressing obfuscation, one of the most natural and simple to describe primitives that is known to imply indistinguishability obfuscation when combined with other standard assumptions. A compressing obfuscator is roughly an indistinguishability obfuscator that outputs just a slightly compressed encoding of the truth table. This generalizes notions introduced by Lin et al. (PKC 2016) and Bitansky et al. (TCC 2016) by allowing for a broader regime of parameters. We view compressing obfuscation as an independent cryptographic primitive and show various positive and negative results concerning its power and plausibility of existence, demonstrating significant differences from full-fledged indistinguishability obfuscation. First, we show that as a cryptographic building block, compressing obfuscation is weak. In particular, when combined with one-way functions, it cannot be used (in a black-box way) to achieve public-key encryption, even under (sub-)exponential security assumptions. This is in sharp contrast to indistinguishability obfuscation, which together with one-way functions implies almost all cryptographic primitives. Second, we show that to construct compressing obfuscation with perfect correctness, one only needs to assume its existence with a very weak correctness guarantee and polynomial hardness. Namely, we show a correctness amplification transformation with optimal parameters that relies only on polynomial hardness assumptions. This implies a universal construction assuming only polynomially secure compressing obfuscation with approximate correctness. In the context of indistinguishability obfuscation, we know how to achieve such a result only under sub-exponential security assumptions together with derandomization assumptions. Lastly, we characterize the existence of compressing obfuscation with statistical security. We show that in some range of parameters and for some classes of circuits such an obfuscator exists, whereas it is unlikely to exist with better parameters or for larger classes of circuits. These positive and negative results reveal a deep connection between compressing obfuscation and various concepts in complexity theory and learning theory. Cornell Tech, New York, NY 10044, USA. asharov@cornell.edu. Supported by a Junior Fellow award from the Simons Foundation. Cornell University, Ithaca, NY 14853, USA. nephraim@cs.cornell.edu. Supported by an AFOSR grant FA Cornell Tech, New York, NY 10044, USA. komargodski@cornell.edu. Supported in part by a Packard Foundation Fellowship and by an AFOSR grant FA Cornell Tech, New York, NY 10044, USA. rafael@cs.cornell.edu. Supported in part by NSF Award CNS , NSF Award CNS , NSF Award CNS , AFOSR Award FA , a Microsoft Faculty Fellowship, and a Google Faculty Research Award.

2 Contents 1 Introduction Our Results Related Work Paper Organization Technical Overview Correctness Amplification A Universal Construction Impossibility of Key-Agreement Statistically Secure Compressing Obfuscation Preliminaries Compressing Obfuscation Correctness of Obfuscation Puncturable Pseudorandom Functions Non-Interactive Zero Knowledge Commitment Schemes Error-Correcting Codes Functional Encryption Correctness Amplification From Approximately-Correct XiO to Worst-Case Correct XiO (1/poly negl)-worst Case XiO to (1 negl)-worst Case XiO (1 negl)-worst Case Correct XiO to Perfectly Correct XiO Wrapping Up Proof of Theorem Impossibility of Key Agreement from XIO and OWFs Preliminaries Oracle-Aided Bit Agreement XiO for Oracle-Aided Circuits The Class of Reductions Proof Overview and the Oracle Γ Existence of a OWF Relative to Γ Existence of XiO Relative to Γ Breaking Perfect Key Agreement Relative to Γ Proof of Theorem Compressing Obfuscation with Statistical Security Negative Results Positive Results References 57

3 1 Introduction Program obfuscation is an intriguing and powerful concept in modern cryptography. A program obfuscator is a compiler that scrambles programs into ones that are hard to reverse engineer, while preserving their functionality. The predominant notion that captures the above concept is indistinguishability obfuscation, introduced in the seminal work of Barak et al. 15], which has inspired a vibrant area of research in recent years. Informally, indistinguishability obfuscation (io) guarantees that the obfuscations of two functionally equivalent circuits of the same size are computationally indistinguishable. There are two main reasons why io has become such a central primitive its potential to exist and its power. As opposed to stronger notions of obfuscation that are known not to exist for all circuits (such as virtual black-box obfuscation 15]), general purpose io might be realizable, and in fact, since the work of Garg et al. 44] many candidate constructions of io have emerged 44, 32, 14, 6, 86, 50, 9, 91, 49]. As for its power, io serves as a hub for an impressive number of cryptographic primitives, ranging from classical concepts such as one-way functions 69], public-key encryption 88], trapdoor permutations 20], ZAPs and non-interactive witness-indistinguishable proofs 19], to ones that are still far beyond the reach of any other assumption, such as deniable encryption 88], fully-secure multi-input functional encryption 53], and many others. Despite immense efforts to construct io from concrete assumptions, all currently known candidate constructions have been shown to be vulnerable to attacks 8, 13, 27, 37, 38, 39, 78, 82]. 1 Another line of work shows how to construct io from some seemingly simpler or weaker generic cryptographic primitives (together with more standard assumptions). These include primitives such as low-degree multilinear maps 71, 72, 5, 75], compact functional encryption schemes 4, 21], compact randomized encodings 74], and variants of exponentially-efficient indistinguishability obfuscation 18, 73], all of which have no known instantiations from standard assumptions. The difficulty of constructing io motivates the study of such seemingly weaker cryptographic primitives, with the hope that such a study could elucidate the foundations of io. In this paper, we focus on the primitive which is arguably the simplest to define and the closest in its nature to io: indistinguishability obfuscation with nontrivial compression, or in short, compressing obfuscation. Compressing obfuscation. For functions t(s, n) and l(s, n), we say that an obfuscator O is (t, l)-compressing if, when given a circuit C of size s on n inputs, the obfuscator O(C) runs in time t(s, n) and has output length l(s, n). In the case of io, both t and l are polynomial in s and n, but in general, we allow them to be super-polynomial, or even (sub-)exponential. This definition generalizes existing relaxations of io (such as XiO and SXiO which we discuss below) and allows us to characterize the extent to which efficiency impacts the existence, applications, and limitations of obfuscation. Throughout this work, we mostly focus on the following two settings of parameters, which intuitively, are relaxed versions of io that only allow obfuscating circuits with logarithmic input size: XiO. The first (and weaker) setting of parameters is that of exponentially-efficient io (XiO), introduced by Lin et al. 73]. XiO allows the running time of the obfuscator to be as large as the truth table of the circuit to be obfuscated, but requires the size of the obfuscated circuit to be slightly smaller than its truth table. More formally, for a function c (which denotes the compression of XiO), we say that c-xio is a (t, l)-compressing obfuscator with t(s, n) = poly(2 n, s) and l(s, n) = c(n) poly(s). When there exists a constant ɛ > 0 such that c(n) = 2 n(1 ɛ), we denote c-xio simply by XiO. Lin et al. 73] showed that XiO for all circuits and Learning With Errors (LWE), both with sub-exponential security, imply io. 1 Some of the attacks apply directly to the candidate construction while some only apply to the underlying graded encoding scheme 40, 49, 41]. See Ananth et al. 2, Appendix A] for an overview. 1

4 SXiO. The second (and stronger) setting of parameters is that of strong XiO (SXiO), introduced by Bitansky et al. 18]. SXiO requires that the time to obfuscate a circuit is slightly smaller than the truth table of the circuit. More formally, for a function c, we say that c-sxio is a (t, l)-compressing obfuscator with t(s, n) = l(s, n) = c(n) poly(s). Similar to the above case, when there exists some constant ɛ > 0 such that c(n) = 2 n(1 ɛ), we denote this simply by SXiO. Bitansky et al. 18] showed that SXiO and any public-key encryption, both with sub-exponential security, imply io. This was strengthened by Kitigawa et al. 68], who showed that SXiO and any one-way function, with sub-exponential security, imply io. These two settings of parameters have seemingly minor differences, but nevertheless, are not known to be equivalent. Moreover, as mentioned above, their known implications illustrate the richness of the world of compressing obfuscation, and indicate that efficiency is a fundamental property of obfuscation. Since the regime of parameters for compressing obfuscation is somewhat non-standard (especially, the distinction between time and output length in XiO), it has not received adequate attention, and as a result we know very little about it. In this work, we provide a systematic study of compressing obfuscation as an independent cryptographic primitive, and thus characterize the extent to which efficiency plays a role in obfuscation. 1.1 Our Results Our results span a wide range of topics concerning compressing obfuscation, including limitations of its power, existence in an information-theoretic setting, constructions for limited classes of functions, and correctness amplification. XiO vs. PKE. We start by exploring the power of XiO as an independent cryptographic primitive. One the one hand, we know that when combined with LWE it implies full-fledged io (which in turn implies almost all cryptographic primitives). On the other hand, as opposed to io 69], we do not even know whether XiO by itself 2 implies one-way functions the most basic cryptographic primitive. One of the original applications of obfuscation, which was proposed by Diffie and Hellman back in ], is to transform private-key encryption into public-key encryption. When combined with one-way functions, io can be used to perform such a transformation, as shown by 44, 88]. This transformation can also be obtained starting from sub-exponentially secure SXiO and one-way functions 68]. This raises the same question regarding XiO: Can it bridge the gap between the world of privatekey cryptography and that of public-key cryptography? We provide evidence that it cannot, and thus show a concrete lower bound on its potential power. Theorem 1.1 (informal). There is no fully black-box construction of a perfectly correct key-agreement protocol from one-way functions and perfectly correct 2 (1 ɛ)n -XiO for any constant ɛ > 0, even with sub-exponential security. Our result follows the extended black-box model of 47, 48], and in particular holds even if the XiO scheme can obfuscate oracle-aided circuits which contain both XiO and one-way function gates. This model is stronger than the one considered in 10, 11, 16], in which the obfuscator is allowed to obfuscate circuits with only one-way function gates. By allowing circuits to contain all possible oracle gates, our framework captures the self-feeding techniques used in the context of io and related primitives. Thus, our result is one of the strongest forms of the classical separation between one-way functions and pubic-key encryption due to Impagliazzo and Rudich 64]. We note that our 2 Assuming any average- or worst-case hardness assumption. This is necessary as XiO exists unconditionally if P = NP. 2

5 result does not separate imperfectly correct key-agreement from (perfectly correct) XiO and one-way functions. Previously, by combining 10, 18], a related result follows but in a significantly weaker blackbox model and for XiO with somewhat weak compression. Concretely, 10] showed a separation of perfect key-agreement from imperfect private-key FE in a black-box model where one can obfuscate functions that have only one-way function gates, and 18] showed a black-box construction of 2 n/2 - XiO from such private-key FE. This implies a separation from 2 (1 ɛ)n -XiO where 0 < ɛ 1/2, and when only allowing XiO to obfuscate circuits containing one-way function gates. Statistical security. Our result that it is unlikely that key-agreement can be constructed from XiO and one-way functions can be viewed as good news, as it hints that XiO is a somewhat weak primitive, and therefore it might be possible to base its existence on well-studied assumptions. In fact, it might even be possible that compressing obfuscation exists unconditionally (even if P NP). Toward this end, we show almost matching upper and lower bounds for the existence of compressing obfuscation with statistical security, both for the case of perfect correctness and that of approximate correctness. Our results show tight connections between compressing obfuscation and various concepts in complexity theory and learning and thus we view this as one of the central takeaways of this work. For the case of approximate correctness, we show a 2 nɛ -SXiO for ɛ > 0 for small classes of circuits (such as AC 0 ). On the other hand, we show that such an obfuscator cannot exist for larger classes of circuits that contain a (puncturable) PRF, unless SAT AM2 nɛ ], where SAT is the problem of deciding whether a formula is unsatisfiable and AMt(n)] is the class of all languages on instances of size n that have an AM protocol in which the running time of the verifier and the message sizes are at most t(n). Theorem 1.2 (informal). There exists a statistically secure and approximately correct 2 nɛ -SXiO for AC 0 and ɛ > 0. On the contrary, unless SAT AM2 nɛ ], there is no such obfuscator for any class that contains a (puncturable) PRF. This result naturally leads to the question of whether we can get a similar statement for the case of perfect correctness. We are unable to get such a result for SXiO, but we do get it for XiO, albeit with worse compression. 3 Theorem 1.3 (informal). There exists a 2 n(1 ɛ) -XiO for ɛ 1/poly log(n) with statistical security and perfect correctness for AC 0. Ruling out statistically secure XiO with any compression is left as an open problem. We do show that unless SAT AM2 c(1 ɛ)n ] for a universal constant c N, there is no statistically secure and perfectly correct 2 n(1 ɛ) -SXiO for AC 0 (see Theorem 6.2). It is known, by the recent result of Williams 90], that SAT AMÕ(2n/2 )]. However, it might be that for larger values of ɛ (such as ɛ = 1 (0.1/c) or even ɛ = 1 o(1)) it holds that SAT / AM2 c(1 ɛ)n ]. The positive results are based on classical (PAC) learning algorithms 89, 76] and the circuit compression algorithm of 36]. Both negative results above rely on and extend the following analogous arguments from the io literature 55, 29]. The first is of Goldwasser and Rothblum 55] who showed that statistical io with perfect correctness cannot exist unless NP SZK. The second is of Brakerski, Brzuska, and Fleischhacker 29] who extended the result of 55] to handle statistical io with approximate correctness by showing that unless conp AM, it cannot exist (assuming additionally one-way functions). 3 The obfuscator we get is weak due to two reasons. First, the class for which we obtain XiO does not contain (puncturable) PRFs and thus is not sufficient for known transformations to io. Second, the compression we achieve is not enough for cryptographic applications. 3

6 Correctness amplification. Our results above suggest that approximate correctness might be easier to achieve than perfect correctness, in an information theoretic setting. Is this the case also in the computational setting? To address this question, we show a transformation from approximately correct XiO to perfectly correct XiO, assuming the original XiO applies to a large enough class of circuits. This transformation achieves optimal parameters and only incurs polynomial security loss, indicating that correctness is not the bottleneck in constructing XiO from standard assumptions. Theorem 1.4 (informal). If there exists an XiO scheme for all polynomial size circuits which is correct with probability (1/2 + 1/poly) over the the inputs and the obfuscation, then there exists a perfectly correct XiO scheme, assuming polynomially-secure LWE and NIZKs. 4 Prior to this result, there were no correctness amplification procedures for XiO which required only polynomial security or achieved optimal parameters. Correctness amplifications for related primitives, such as those of 22, 3] for io, do not apply to XiO, since they involve a random selfreducibility step which inherently requires running the obfuscator on polynomial-size inputs. The transformation of Bitansky et al. 17] shows how to transform an XiO which is correct with probability 0.99 over the inputs and the obfuscation to a weak notion of functional encryption. This notion of functional encryption was known to imply a relaxed notion of XiO, namely, XiO with preprocessing 73]. Our transformation works for a much weaker notion of correctness (as opposed to.99) and results in full-fledged, perfectly correct XiO (as opposed to XiO with preprocessing). Technically, our regime of parameters introduces many difficulties which require us to tailor a construction that is based on a delicate combination of various types of error-correcting codes together with cryptographic primitives (inspired by 81]). While we show this transformation for the case of XiO, our result extends naturally to the case of SXiO. In particular, we can obtain perfectly correct XiO from the transformation, or SXiO which is correct on all but a negligible fraction of obfuscations. Universal construction. Using our correctness amplification procedure, we obtain a universal construction of an XiO (resp. SXiO), assuming only the mere existence of XiO (resp. SXiO) with polynomial security and only (very weak) approximate correctness. For XiO, the resulting universal construction satisfies perfect correctness. Note that in the context of io, perfect correctness is known to be achievable using only derandomization assumptions 23]. Our result is obtained by adapting the robust combiner of Ananth et al. 2] to the setting of XiO (resp. SXiO) and then using our correctness amplification transformation. 1.2 Related Work Universal construction and robust combiners. It was shown in 59] that, in general, a robust combiner implies the existence of a universal construction. A robust combiner for a cryptographic primitive takes several candidate constructions of the primitive and outputs one construction that is as good as any of the input constructions (see also 62, 63]). A combiner for encryption appears already in 12], and perhaps the most known universal construction is that of one-way functions, due to 70]. Combiners for obfuscation were given in 43, 2, 3]. The work of 2] shows a robust combiner for indistinguishability obfuscation with sub-exponential security loss, and assuming either LWE or DDH. The work of 3] removes the sub-exponential assumption, but does not go all the way to io it shows a transforming combiner from candidates for indistinguishability obfuscation of which one of them is polynomially secure to a secure functional encryption scheme. 4 Using the recent work of 67], we believe that the assumption on NIZKs can be removed. We leave this modification to future work. 4

7 Existence of io. Mahmoody et al. 79] showed that io cannot be based on random oracles or on constant degree multilinear maps (in a black-box way). Garg et al. 47] showed that io cannot be constructed from any type of encryption that has an all-or-nothing type of security (as in PKE or Witness Encryption). Lastly, Garg et al. 48] studied the minimal compactness needed from a functional encryption scheme to imply io, and gave matching constructions, following 4, 21]. In both 47, 48], the results hold even if the primitives upon which io cannot be based can receive circuits containing gates for each of the primitive s subroutines. Limitations on the power of io were studied by Asharov and Segev 10, 11] and by Bitansky, Degwekar and Vaikuntanathan 16]. So far, we know that io and one-way functions do not imply collision-resistant hash functions 10], domain-invariant one-way permutations 11], and hardness in NP conp 16]. Also, io and one-way permutations do not imply hardness in SZK 16]. Relaxations of io. In addition to (S)XiO, another relaxation of io is decomposable obfuscation (do), which was recently introduced by Liu and Zhandry 77]. Decomposable obfuscation relaxes the security requirement of io by requiring that obfuscations of circuits which satisfy a new notion of functional equivalence are indistinguishable. In particular, it is efficient to verify if two circuits satisfy their notion of functional equivalence, unlike traditional functional equivalence. This is similar to the case of XiO, because it is applied on circuits with only logarithmic input size for polynomial time applications. In 77], they question whether io with efficiently verifiable functional equivalence implies public-key encryption. In fact, they have to assume the existence of public-key encryption for all the applications of do that they show which imply public-key encryption. As mentioned above, we show a separation from XiO and OWFs to public key encryption. Therefore, our result serves as further evidence to the hypothesis that (non) efficiently checkable functional equivalence is one of the key factors which distinguishes io from notions like XiO and do. Compressing primitives. Recently, compressing witness encryption (WE) was studied by Brakerski et al. 30]. Witness encryption, introduced by Garg et al. 45], allows encrypting a message relative to a statement x L for a language L NP such that anyone holding a witness to the statement can decrypt the message, but if x / L, then it is computationally hard to decrypt. A compressing WE is such that the encryption time (and thus size) is less than the time it takes to solve the NP instance. Brakerski et al. showed that such a WE scheme can be constructed under standard assumptions (such as LWE or bilinear maps with sub-exponential security). This is in sharp contrast to SXiO (or even XiO). 1.3 Paper Organization We proceed with a technical overview of our results. Then, in Section 3 we overview our definitions. In Section 4 we show our correctness amplification, and in Section 5 we prove our impossibility result of construction key-agreement protocol from XiO and OWFs. In Section 6 we present our positive and negative regarding statistically secure XiO. 2 Technical Overview In this section we provide a high level overview of our results. We start with the correctness amplification (and its application to universal constructions) in Section 2.1. We proceed with the limitations on the power of XiO in Section 2.2, and conclude with our constructions and impossibilities of statistically secure XiO in Section

8 2.1 Correctness Amplification Our correctness amplification for XiO is a transformation from an approximately correct XiO scheme to an XiO scheme that is perfectly correct. Here, by approximately correct, we mean an XiO scheme which is correct with probability (1/2+1/poly) over the inputs and the obfuscation, and by perfectly correct, we mean an XiO scheme which is correct on all inputs and all obfuscations with probability 1. The starting point for our correctness amplification is the transformation of Bitansky et al. 17], which transforms an XiO scheme which is correct with probability.99 over the obfuscation and the inputs to a functional encryption (FE) scheme which is correct on all inputs (with all but negligible probability). At a high level, FE is a type of encryption which enables generating functional keys, such that decryption of a ciphertext corresponding to a message m with a functional key for a circuit C results in C(m). The hope is that if we can adapt the 17] transformation to our case, then we can attempt to transform the correct FE back to XiO. From approximately correct XiO to correct FE. In 17], they first observe that by averaging and standard BPP-type amplification, their XiO scheme can be amplified to one which is correct with probability.9 only over the inputs. Then, they transform this XiO to a correct FE using an error-correcting code, as follows. To encrypt a message m, they obfuscate a circuit G m which, on input i, outputs an encryption of (m, i) using a succinct functional encryption scheme sfe, that exists based on LWE 54]. Call the resulting obfuscated circuit G m. To generate a functional key for a circuit C, they generate an sfe functional key for a circuit C that on input (m, i) outputs the ith bit of ECC(C(m)), where ECC is an error-correcting code. To decrypt, they first evaluate the obfuscated circuit G m on every input i to obtain a list of encryptions of (m, i) for all i. Then, they use the sfe functional key to decrypt each of these encryptions and finally, decode the result. The reason why this is enough for 17] is that, first, by the BPP amplification, they obtain correct encryptions of (m, i) for a.9 fraction of i s, with all but negligible probability over the obfuscation. This lets them calculate (ECC(C(m)) i for a large ( 3/4) fraction of the i s. Second, they rely on the error-correcting code which, given (ECC(C(m)) i for many ( 3/4) i s, can recover C(m). In our case, a natural attempt would be to replicate their first step and then use an errorcorrecting code with better parameters for the second step. However, this approach fails: we are only guaranteed correctness with probability (1/2 + 1/poly(λ)) over the obfuscation and the inputs, which is not enough for averaging and BPP-type amplification. Nevertheless, the framework of 17] is still a convenient starting point for us. Our first challenge is to obtain every bit of the encryption of (m, i) for sufficiently many i s. One idea is to apply an error-correcting code to the output of G m, so that for any index i for which G m correctly outputs enough of the bits of the encryption of (m, i), we can decode successfully. While this is not possible for our regime of parameters using classical binary error-correcting codes, this is achievable with binary list-decodable codes, which output a list of possibilities upon decoding a codeword, rather than a unique decoding. Therefore, we modify the circuit G m to output a list-decodable encoding of the encryption of (m, i), one bit at a time, which will be decoded at decryption time. This introduces the complication that list-decoding gives many possibilities for the encryption of (m, i) for each i. To address this, we employ a combination of NIZK proofs and commitments which enable us to uniquely decode from the decoded list. At a high level, we impose the requirement that in addition to the ciphertext of (m, i), the circuit G m on input i must output a NIZK proof certifying that the ciphertext is correct. This ensures that we obtain sfe encryptions of (m, i) for a noticeable fraction of the inputs i. Thus, we have replaced the BPP-type amplification of 17] with list-decodable codes, NIZK proofs, and commitment schemes. After this change, we have that for a noticeable (but small, say 1%) fraction of the i s, we obtain a correct encryption of (m, i). If we decrypt this with the sfe secret key of 17], we would hope to obtain (ECC(C(m))) i for enough i s such that ECC can successfully decode to C(m), but this 6

9 does not quite work because we only have a very small fraction of correct encryptions. Indeed, no (binary) error-correcting code can recover from more than 50% error! To overcome this, we notice that we have additional information (thanks to the NIZK) we know exactly for which i s we obtained correct sfe encryptions of (m, i). Therefore, we replace the error-correcting code in the 17] construction with a code that can recover from a high fraction (say 99%) of erasures. To obtain optimal parameters, this requires us to have sfe output alphabet symbols rather than bits, but this does not impact the correctness of the scheme. Combining these two steps, we obtain an FE scheme with amplified correctness. As far as we know, this combination of list-decodable codes and erasure-correcting codes is novel to this work. These techniques nearly work, with the caveat that our first step only gives us the correct encryptions of enough (m, i) when the obfuscator uses good random coins. Nevertheless, this can be remedied by using BPP-type amplification and leveraging the fact that our FE scheme always decrypts to or to the correct output, C(m). Therefore, this results in an FE scheme which is correct for all inputs with all but negligible probability. From correct FE to correct XiO. The only remaining step is to transform the FE back to XiO. The FE scheme we obtain from the above transformations is weakly sublinear compact, a weak notion of compactness which does not suffice for known transformations to XiO without assuming sub-exponential security. FE with weak sublinear compactness has the property that while the encryption time is proportional to the circuit size of circuits supported by the scheme, the ciphertext lengths are compact. We take advantage of this by having an obfuscation consist of many short encryptions, which exactly captures the requirement that the obfuscator has a long running time but a nontrivial output length. In more detail, to obfuscate a circuit C, we encrypt a circuit C x for each x {0, 1} n/2, where C x ( ) = C(x ). Then, we generate a functional key sk for a circuit T, which, given a circuit on n/2 bits, outputs its truth table. The ciphertexts and functional key serve as our obfuscation, which gives the desired efficiency for XiO exactly because of the weak compactness of FE. To evaluate the obfuscation on an input x = x 1 x 2, we use FE to decrypt the ciphertext corresponding to C x1 with sk, and select the element of the truth table corresponding to x 2. This transformation yields a correct and secure XiO scheme, in which for any circuit C and every input x, it holds that the obfuscation of C at the point x agrees with C(x) with all but negligible probability. In the technical section, we present the full construction in a more streamlined manner. In particular, we compose the XiO to FE transformation with the FE to XiO transformation described above, which yields a transformation from approximately correct XiO to XiO that is correct on any input with all but negligible probability over the randomness of the obfuscator. Given an XiO which is correct on any input with all but negligible probability, we can then apply another BPP-style transformation (this time we apply parallel repetitions and then take the majority vote) to get an obfuscator that for all but negligible fraction of the obfuscations the obfuscated circuit completely agrees with the input circuit. To conclude our correctness amplification, we observe that the running time for XiO allows the obfuscator to compute the truth table of the circuit it obfuscates. Therefore, we modify the obfuscator to check if an obfuscation C of a circuit C is correct by running over all inputs. If C agrees with C, then C is used as the obfuscation, and if not, we simply output C in the clear. This takes advantage of the running time of XiO and incurs only a negligible loss in security, resulting in a perfectly correct XiO A Universal Construction An important application of correctness amplification is a universal construction. We show a universal construction for XiO (resp. SXiO) by combining our correctness amplification with the results of 2]. 7

10 A universal construction for a primitive can be obtained via a robust combiner for that primitive, which is a transformation that takes several candidate constructions of the primitive and outputs one construction that is as good as any of the input constructions. It is robust in the sense that it should work even if some of the candidates have weak correctness guarantees, have bad running times, etc. A universal construction is then acquired by enumerating over all possible candidates while making sure not to be fooled by bad faulty candidates so that we end up with a correct candidate. Thus, it is guaranteed that the resulting candidate is correct and secure. We observe that a combiner (i.e, a secure candidate assuming one exists) for XiO (resp. SXiO) can be obtained by adapting the construction for io of Ananth et al. 2] which further relied on LWE. In the case of io, their construction, on input circuit C, obfuscates a variant of C that has the same input domain as C. In the security proof, they go input-by-input over this obfuscated circuit which results in a sub-exponential security loss. We notice that, in the case of XiO (resp. SXiO), the number of inputs in the above obfuscated circuit is at most logarithmic, so the very same proof can be carried out, losing only a polynomial term. Then, to make the combiner robust we use our correctness amplification procedure. This results in a universal construction of perfect XiO (resp. imperfect SXiO), assuming the existence of XiO (resp. SXiO) with very weak correctness. 2.2 Impossibility of Key-Agreement To illustrate the difference between the power of compressing obfuscation and io, we revisit one of the primary applications of io transforming a private-key scheme into a public-key one. In the context of io, this transformation is performed by obfuscating the encryption circuit of a private-key encryption scheme, while embedding the symmetric secret key into the circuit. The public key is then simply the obfuscated circuit. In order to encrypt a message m, one has to choose randomness r and run the obfuscated circuit on (m, r) to obtain the ciphertext c. An important property of this construction is the ability to obfuscate circuits with hardwired cryptography, e.g., the evaluation circuit of a pseudorandom function with a hardwired PRF key. Since XiO is efficient only when obfuscating circuits with logarithmic size input, one cannot use the above approach with XiO even when the message space is limited to a single bit. Given the public key, the adversary can learn the entire truth table of the obfuscated circuit by enumerating over all inputs, thereby breaking the secrecy of the underlying message. Our proof formalizes this intuition, and shows that other attempts at such a transformation cannot succeed. We formalize this using a black-box separation, showing that no perfectly complete bit-agreement protocol can be constructed from perfectly correct XiO and one-way functions. Modeling non-black-box constructions. Constructions that are based on indistinguishability obfuscation are almost always non-black-box in the underlying primitives. In the example above, the circuit being obfuscated is the encryption algorithm of a private-key encryption scheme and thus contains a specific circuit representation of the underlying one-way function as a sub-circuit. More complex constructions also use techniques which require obfuscating a circuit which itself may obfuscate smaller circuits (and evaluate smaller obfuscations). To capture these types of constructions, we extend the framework of Asharov and Segev 10, 11], which enables the obfuscator to run on oracle-aided circuits, i.e., circuits that might contain oracle gates. In this manner, the specific representation of the one-way function in the example above is replaced by an oracle gate, which allows the construction to be black-box relative to the one-way function. While the results in 10, 11] hold relative to an obfuscator for circuits which can only contain one-way function gates, our separation allows circuits to contain both XiO and one-way function gates. This captures the known techniques to obtain public-key encryption from io, and is similar to the class of constructions captured in the framework of 47, 48]. We refer to 10, 11] for 8

11 details regarding this model (see also 16]), and for examples of how it captures common techniques such as the punctured programming technique of Sahai and Waters 88] and its variants. The oracle. Our result is obtained by presenting an oracle Γ relative to which the following properties hold: (1) there exists a one-way function f; (2) there exists a perfectly-correct, exponentiallysecure XiO scheme xio for all oracle-aided circuits C xio,f ; (3) for any perfectly complete bitagreement protocol between two parties, there exists an eavesdropping adversary that makes polynomially many queries to the oracle Γ and succeeds to recover the bit from the transcript of the interaction. Our oracle consists of three functions, similar to that of 11]: (1) a random function f that will serve as the one-way function; (2) a random length-increasing function O that will serve as the obfuscator (an obfuscation of an oracle-aided circuit C is a handle Ĉ = O(C, r) for a random string r), and (3) a function E that enables evaluations of obfuscated circuits: given some obfuscated circuit Ĉ and an input x, the function E looks for the lexicographically first pair (C, r) for which O(C, r) = Ĉ and returns CΓ (x). Note that if C is some circuit of size s, it can only make oracle calls to Γ on inputs smaller than s, and thus the above definition is not circular. The main difference in modeling XiO as an oracle rather than io as in 11] is the expansion factor of the oracle O. In order to capture compressing obfuscation, the expansion factor that we use is (sub-)exponential in the input size of the circuit C. While this modification is somewhat minor in syntax, it has a major effect if the expansion factor is small then it is possible to construct a polynomial time key-agreement protocol relative to such an oracle (following the construction of Sahai and Waters 88]), whereas for a larger expansion factor this becomes impossible. As for the existence of one-way functions and indistinguishability of obfuscated circuits, we derive these almost for free from 11]. In what follows, we first discuss how to break a perfectly complete key-agreement protocol relative to a random oracle as a warmup. We then discuss the challenges when dealing with our (more structured) oracle, and discuss why our approach does not work for io. Separating key-agreement from a random oracle. As a warmup, we first give an overview of the result of Impagliazzo and Rudich 64] and Brakerski et al. 31], who show that for any two polynomial time oracle-aided algorithms A and B, if A f, B f implements a perfectly-correct bitagreement protocol for all functions f, then there exists an oracle-aided algorithm E such that for any function f learns the agreed bit with probability 1 by making only a polynomial number of oracle queries to f. The adversary E is given a transcript T which is a result of an interaction of A and B relative to some oracle f, and is required to find the key k that A and B agreed on. Denote by ra (resp. r B ) the randomness used by A (resp. B) in the real interaction that produced T. The adversary E initializes a set of queries/answers Q, which will contain the actual queries made by E to the true oracle f. It also initializes a multiset K =, and repeats the following polynomially many times: Simulation: E simulates an oracle f that is consistent with Q (i.e., f (w) = f(w) for every w Q), and randomness r A, r B such that the interaction Af (r A ), Bf (r B ) (i.e., running the protocol with respect to the function f with randomness r A for A and r B for B) results in the transcript T and key k. E adds k to K. Update: E asks f for all queries made to f by A or B in the simulation that are not already in Q, and updates the set Q. At the end of the attack, E outputs the majority value in K. The proof then relies on the following observation: In each iteration, either (1) in the update phase, E finds at least one new query that is also made by either A or B during the real interaction with the function f that produced the transcript T ; or (2) E adds the real key k to K. 9

12 Intuitively, if (1) does not hold, then the perfect correctness of the bit-agreement protocol guarantees that (2) holds. In particular, in that case it is possible to construct a hybrid oracle f that behaves like f in the real execution of A, i.e., A f (ra ), and behaves like f in the simulated evaluation of B, i.e., B f (r B ). According to this hybrid oracle, an execution of A with randomness ra and an execution of B with randomness r B would result in the transcript T, A would output k (as in the real execution) and B would output k (as in the simulation). Perfect correctness then tells us that k = k. This hybrid oracle can be constructed since the intersection of the set of queries made in the simulated execution and those made in the real execution is already contained in Q, and therefore there are no contradicting queries (i.e., queries w that appear in both executions for which f(w) f (w)). As the number of oracle queries A and B make during the execution of the protocol is some polynomial q, the majority value in K is guaranteed to be the correct key after 2q + 1 iterations. Attacking key-agreement relative to our oracle. We extend the attack described above relative to our oracle Γ, which is a significantly more structured than a random oracle and therefore raises several challenges. Recall that our oracle Γ consists of a three functions f, O, and E, that are dependent. Following the above template, we construct an adversary that simulates an execution that produces the transcript T with some simulated oracle Γ = (f, O, E ). There are three main challenges with this approach: 1. The first challenge is to show that A and B cannot gain extra information from oracle queries that are not in the intersection of their query sets. In particular, in the case of a random oracle, the shared information between A and B can be recovered completely from their shared oracle queries and the transcript T. In our setting, since the oracles f, O, and E have dependence, this may not be the case. 2. The second challenge is due to the fact that queries made by A and B could cause hidden oracle queries. Since we allow obfuscated circuits to contain oracle gates, this could occur when obfuscated circuits are evaluated by A and B. In particular, the output of the evaluation could reveal query-answer pairs on queries that were never directly asked by A or B. Thus, we must show that A and B cannot indirectly learn too many query-answer pairs this way. 3. The third challenge is to show that a hybrid oracle Γ = ( f, Õ, Ẽ) can be constructed from the two sets of queries, i.e., from the simulated execution and the real execution. As an example, suppose there is a query E(Ĉ, x) that is performed in the real execution and a different query E (Ĉ, y) that appears in the simulated execution. Such two queries raise a challenge for constructing a hybrid oracle Ẽ which is consistent with these two queries simultaneously. In order to see this, suppose that in the real execution, the lexicographically first pair (C, r) for which O(C, r) = Ĉ is some pair (C 1, r 1 ), and in the simulated execution the lexicographically first pair (C, r) for which O (C, r) = Ĉ is some pair (C 2, r 2 ) (C 1, r 1 ). As a result, E(Ĉ, x) in the real execution is mapped to C1 Γ (x), whereas E (Ĉ, y) is mapped to CΓ 2 (y), but C 1 C 2. We solve the first challenge by adding additional oracle queries to the set of real queries that the parties make, which makes the dependence between the oracles more explicit. We solve the second challenge by showing that any oracle query can only cause polynomially many additional indirect queries. In particular, for a circuit C Γ of size s, any indirect queries are on circuits smaller than s. We use this in conjunction with the (sub-exponential) expansion factor of our oracle O to show that the number of indirect queries are bounded, and thus the adversary E can learn any indirect queries that A and B learn by only making polynomially many additional queries. As for the third challenge, interestingly, our proof does not completely solve it, and we do not fully control to which one of the two circuits C 1 or C 2 the hybrid oracle Ẽ maps Ĉ. Nevertheless, 10

13 we design the adversary such that, whenever there is such a contradicting scenario between the real execution and the simulated execution, it must hold that C 1 and C 2 are functionally equivalent with respect to the hybrid oracle Γ. Otherwise, i.e., when there is some input for which C 1 and C 2 do not agree, we claim that the adversary learns a new query that is associated with the real execution. As a consequence, E learns the entire truth table of any obfuscated circuit Ĉ that is associated with the real execution, which is possible due to the fact that querying the oracle Γ on all inputs of Ĉ results in polynomially many queries. Notably, for a different expansion factor of the oracle O (which results in io and not XiO), this becomes an exponential number of queries, and the above attack fails. 2.3 Statistically Secure Compressing Obfuscation This set of results is composed of two main parts. One is positive results showing that for small classes of circuits compressing obfuscation exists unconditionally. The other complements the constructions and shows that improvements in the above obfuscator, either in the compression factor or in the circuit class, will imply some nontrivial speedup for protocols solving UNSAT. We have positive and negative results both for the case of perfect correctness and for the case of approximate correctness. Negative results. First, we show that that approximately correct and statistically secure 2 nɛ - SXiO cannot exist unless conp AM2 nɛ ] for ɛ > 0. Here, we follow on the approach of 29] from the world of io. There, they show how to use io and puncturable PRFs to create two circuits that differ at a single point but their obfucations (as random variables) are statistically far. Then, they use an algorithm that can distinguish these two distributions to solve Unique-SAT which then implies that conp AM by a result of Mahmoody and Xiao 80]. We modify the argument to work with compressing obfuscation by making the two circuits receive only short inputs, and observe that the proof still goes through, but then solving Unique-SAT on short inputs (say of poly-logarithmic size). We then apply the result of Mahmoody and Xiao and finally obtain our result by scaling the parameters. Second, we show that perfectly correct and statistically secure 2 n(1 ɛ) -SXiO cannot exist unless conp AM2 (1 ɛ)n ] (with large enough 0 < ɛ < 1). For this, we construct an SZK2 (1 ɛ)n ] protocol for all NP. In this protocol, the verifier, given x L for a language L, chooses a bit b uniformly at random and obfuscates a circuit that gets a witness w as input, checks whether it is a valid witness for x and if so, it outputs b (otherwise it outputs ). This protocol can be shown to be honest-verifier statistical zero-knowledge with a verifier that runs in time 2 (1 ɛ)n for L. This argument is reminiscent to the argument of 69, 55] in the context of io. We then carefully apply the transformation of Okamoto 84] to translate this protocol into an (honest-verifier) SZK protocol for every language in conp. This implies that conp AM2 (1 ɛ)n ]. Positive results. We show that compressing obfuscators exists unconditionally for restricted classes of circuits such as AC 0 (the class of all constant-depth circuits) and Mon (the class of all monotone functions). We again construct compressing obfuscators with perfect correctness and approximate correctness. The approximately correct obfuscators are obtained by running a classical (PAC) learning algorithm 89] on the given circuit and outputting the hypothesis. Using the most efficient learning algorithms for AC 0 and Mon, we obtain compressing obfuscators for these classes. This construction is aligned with the above impossibility that says that we are unlikely to be able to get such an obfuscator for classes that contain a (puncturable) PRF. In the perfect correctness case, we use a different tool called a circuit compression algorithm 36]. In circuit compression one is given the truth table of a Boolean function f computable by some unknown circuit from a known class of circuits, and the goal is to find in time poly(2 n ) a circuit C 11